Introduction

What keeps your CEO up at night? Risk. What are some of these risks? There are always the financial and competitive risks. But now, because of the Sarbanes-Oxley Act (SOX), the CEOs and CFOs of public companies must certify their company's financial statements. Each year they must also certify the effectiveness of the system of internal controls mandated by the Act. In the past, top management could claim ignorance of their organizations' operational failures. That no longer holds: lack of knowledge of problems is not an excuse, and top management now risks civil and criminal penalties.

Last October, Paul Palmes [1] and I wrote an article for Quality Progress [2] describing how quality and environmental management systems (QMS/EMS) can help top management maintain effective corporate governance and satisfy the requirements of SOX [3]. Since then, a team has been formed to identify how ISO 9001:2000 [4] and ISO 14001:1996 [5] can be used to reduce the risk that CEOs, CFOs and the Board of Directors face when complying with SOX. Note that any comprehensive quality and environmental management system can be used in place of the ISO standards.

Our review of SOX identified that top management needs better information about the effectiveness of their organizations. The Act mandates a system of internal controls to manage risk in the organization. The internal control framework developed by COSO [6], a committee formed in 1985, provides the basis for the internal controls used by many organizations [7]. This framework is the foundation for good governance and preceded SOX.

There are five components to the COSO set of internal controls:

  • Control environment: Sets the tone of an organization and is the foundation of the other components.
  • Information and Communication: Provides the information needed for people to carry out their responsibilities.
  • Risk assessment: Provides methods of identifying, analyzing and managing the organization's risks.
  • Monitoring: Provides assessment of the organization’s internal control performance over time.
  • Control Activities: Consists of the processes needed to carry out the management’s directives.

Let us compare these components of COSO internal control [8] with clauses of ISO 9001 and ISO 14001.

Control Environment

For COSO, the control environment is the foundation for all other components of internal control, providing discipline and structure. It includes the way management assigns authority and responsibility, and organizes and develops its people.

For QMS/EMS, ISO 9001 and ISO 14001 require identification of an organization’s processes, their sequence and interaction and the definition of quality and environmental policies. Further, ISO 9001 requires the establishment of quality objectives and ISO 14001 requires definition of environmental objectives and targets. Both standards require control of documents and records. Both standards require that personnel be "competent based on education, training, skills and experience."

Information and Communication

To satisfy COSO, information must be identified, captured and communicated so that people can carry out their responsibilities. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously.

For QMS/EMS, ISO 9001 and ISO 14001 enhance decision making through information and communication within the organization. ISO 9001 requires communication with customers and suppliers (customer communication and purchasing information); ISO 14001 requires procedures for internal communication and for handling communication with external interested parties.

Risk Assessment

For COSO, risks must be identified, analyzed and managed. Key inputs are corporate objectives linked at different levels and internally consistent. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

The data obtained under ISO 9001 from process and product measurements can be used in risk assessment and continual improvement. ISO 9001 requires analysis of this data, turning it into information that can be used to identify risks to the organization. The standard requires analysis of trends in processes and products, which is a good predictor of developing problems.

ISO 14001 requires identification of the environmental aspects of an organization's activities, products and services that can interact with the environment. In addition, the standard requires identification of the significant aspects and of the operations and activities associated with them. Again, we have an early warning tool that can be used to identify impending risk.

Monitoring

In the COSO guidelines, monitoring means assessing the quality of internal control performance over time. This is done through ongoing monitoring of processes and separate periodic evaluations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.

ISO 9001 requires monitoring and measurement of processes and products. The raw data obtained here may provide the first warnings of impending problems. Another monitoring activity, the measurement and analysis of customer satisfaction in ISO 9001, is also an early warning tool for organizational concerns. Implementing ISO 9001 turns this data into information. ISO 14001 requires monitoring and measurement of the key characteristics of operations and activities that can have a significant environmental impact.

Control Activities

The COSO control activities are the actions taken to address risk and achieve the objectives of the corporation. Control activities occur throughout the organization, at all levels and in all functions.

In ISO 9001, the key to controlling the health of an organization is the "improvement loop." As part of the loop, ISO 9001 requires documented procedures for corrective and preventive action. Both tools provide methodologies to manage or eliminate risks to the organization. One source of corrective actions is the requirement for a documented internal audit procedure, with follow-up through corrective action.

ISO 14001 requires management of nonconformances and the taking of corrective and preventive actions to mitigate impacts and reduce environmental risk. For both environmental and quality management systems, the result is improved alignment of the organization with basic corporate objectives.

Top management asserts control of risk through the management review process of ISO 9001 and ISO 14001. These reviews pull together the key pieces of information and the actions that set the direction of the organization and implement risk reduction activities.

Case Study: Otter Tail Corporation

The Otter Tail Corporation of Fargo, North Dakota, operates in five segments: electric, plastics, manufacturing, health services and other business operations. Paul Palmes, a member of our team, is the quality assurance director of the Northern Pipe Products Division which produces polyvinyl chloride pipe in the upper Midwest and Western regions of the United States. Paul is working with the Audit Committee Chairperson of Otter Tail and his staff to develop the methodology to satisfy the Sarbanes-Oxley Act.

Where quality management comes into the picture is in the development, testing and auditing of these processes. The position we have taken is that we, the ISO-trained auditors, have been in this arena for quite a while. We can help. We have experience, and we already carry out most of the operational auditing of our companies.

Otter Tail has thus far heard and appreciated this willingness to contribute. Paul is a member of the development team that is identifying and assessing risk and documenting the SOX supporting processes. Otter Tail is at the end of the cycle, following a predetermined timeline that has led to audits being conducted at the present time (July 2004). By the end of this year the organization expects to be at full, demonstrable Sarbanes-Oxley Section 404 compliance.

The message to the quality community is that integrating traditional quality management auditing and process control into the thinking of top management requires both the willingness and the awareness to see Sarbanes-Oxley as an opportunity. The clock is ticking. Compliance is required for most companies by July 15, 2005, and most public companies are already working on this project. The quality community can help because we bring experience in process development, auditing and nonconformance management. In fact, at a recent meeting of the SOX Committee a CFO from one of the Otter Tail subsidiaries wondered "if anyone there could actually describe exactly what a process really is." Paul pointed out to the committee that the quality community provides added resources and depth at little or no additional cost to the organization.

The figure below illustrates the general methodology Otter Tail uses to satisfy the Sarbanes-Oxley Act and shows how the processes are integrated to support the SOX effort. First, risks are assessed and provided as input to the system of internal controls. The controls are tested; if material weaknesses are found they are addressed, and the system of controls is modified to remove or reduce them. The controls are also tested by the external auditors. The end result is a knowledgeable attestation of the effectiveness of the controls by management, backed up by the attestation of the external auditors.

As Paul continues to support Otter Tail he has gained a valuable "place at the table."

Conclusions

Three goals of corporate governance are management of risk, effective process management and continual improvement of company performance. Quality and environmental management systems such as ISO 9001:2000 and ISO 14001:1996 are excellent tools for accomplishing these objectives. The board should move the corporate mentality from correcting problems to preventing them. Accomplishing these goals is an excellent step toward satisfying the Sarbanes-Oxley Act.

Quality and environmental system practitioners must make their capabilities known to top management. We suggest developing an elevator speech such as the following:

"Sir, I am familiar with the Sarbanes-Oxley Act and the need to better identify and manage risk. Quality and Environmental Management Systems are tools that can help with risk management. Our processes link directly to the system of internal controls mandated by the Act. I’d like the opportunity to show you how we can help."

The Team

I would like to give credit to the team working on the methodology to improve corporate governance. Paul Palmes is helping his company, Northern Pipe Products Inc. of the Otter Tail Corporation, develop the methodology. Lawrence R. Liebesman, the environmental partner in Holland & Knight LLP, is providing the legal and environmental support. John Walz, quality management consultant, is our web surfer and is supporting me in the development of our presentations. Michael Fishman, Fishman Consulting, is helping with the development of tools and is providing the chatroom website: http://216.103.218.210/fcgchat. Kay Combs, Synergy Spark LLC, is providing the financial auditing background. The team has published four articles in The Informed Outlook [9].

In Summary

I have made the case for quality and environmental people "to be at the table" when the internal financial auditors develop their reports to top management and the Board of Directors. The goals are risk reduction, expanded information for top management decisions and help in satisfying the requirements of the Sarbanes-Oxley Act.

For More Information

We have a full day workshop at the International Conference on ISO 9000 on March 3, 2005 at the Hilton Hotel in the Walt Disney World Resort. The conference starts February 28, 2005. You do not have to sign up for the conference in order to attend the workshop.

Attachment 1: COSO Components of Internal Control mapped to ISO 9001/14001 Management System Requirements

Control Environment - The core of any business is its people - their individual attributes, including integrity, ethical values and competence - and the environment in which they operate. They are the engine that drives the entity and the foundation on which everything rests.

ISO 9001:
4.1 QMS General Requirements
5.3 Quality Policy
5.4.1 Quality Objectives
5.5.3 Internal Communication
6.2.1 Human Resources General Requirements

ISO 14001
4.1 EMS General Requirements
4.2 Environmental Policy
4.3.3 Objectives and Targets
4.4.3 Communication

Information and Communication - Surrounding these activities are information and communication systems. These enable the entity's people to capture and exchange the information needed to conduct, manage and control its operations.

ISO 9001
4.2 Documentation Requirements
5.1 Management Commitment
5.5.1 Responsibility and Authority
5.5.3 Internal Communication
7.2.3 Customer Communication
7.4.2 Purchasing Information

ISO 14001
4.4.3 Communication
4.4.5 Document Control
4.5.3 Records

Risk Assessment - The entity must be aware of and deal with the risks it faces. It must set objectives, integrated with the sales, production, marketing, financial and other activities so that the organization is operating in concert. It also must establish mechanisms to identify, analyze and manage related risks.

ISO 9001
8.2.3 Monitoring & Measurement of Processes
8.2.4 Monitoring & Measurement of Product
8.4 Analysis of Data

ISO 14001
4.3.1 Environmental Aspects
4.4.6 Operational Control (significant aspects)

Monitoring - The entire process must be monitored and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.

ISO 9001
5.6 Management Review
8.2.1 Customer Satisfaction
8.2.3 Monitoring & Measurement of Processes
8.2.4 Monitoring & Measurement of Product
8.4 Analysis of Data
8.5.1 Continual Improvement

ISO 14001
4.2 Environmental Policy (continual improvement)
4.5.1 Monitoring & Measurement (key characteristics)
4.6 Management Review

Control Activities - Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks to achievement of the entity's objectives are effectively carried out.

ISO 9001
8.2.2 Internal Audit
8.5.1 Continual Improvement
8.5.2 Corrective Action
8.5.3 Preventive Action

ISO 14001
4.5.2 Nonconformance and Corrective and Preventive Action

Footnotes

1. I would like to acknowledge the valuable inputs provided for this paper by Paul Palmes of Northern Pipe Products, a subsidiary of the Otter Tail Corporation, and Donna Spencer of the Nordam Group.

2. "Quality’s Path to the Boardroom," with Paul Palmes, Quality Progress, October 2003, 41-43.

3. The U.S. House of Representatives, Sarbanes-Oxley Act of 2002, July 24, 2002.

4. The International Organization for Standardization, ISO 9001:2000: Quality Management Systems – Requirements, Geneva, Switzerland, 2000.

5. The International Organization for Standardization, ISO 14001:1996: Environmental Management Systems – Specification with Guidance for Use, Geneva, Switzerland, 1996.

6. COSO: The Committee of Sponsoring Organizations of the Treadway Commission.

7. Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, Frequently Asked Questions Regarding Section 404, Protiviti, www.protiviti.com.

8. Internal Control – Integrated Framework Executive Summary, Product 99009, http://www.aicpa.org. The material on COSO internal control is abstracted from this on-line document.

9. The four articles from The Informed Outlook are:

Sandford Liebesman, "Use Management Tools to Mitigate Risk from SOX," The Informed Outlook, January 2004, 2, 13-22.

Sandford Liebesman, Lawrence Liebesman & John Walz, "Applying Management Tools to Mitigate Risk from SOX," The Informed Outlook, February 2004, 1, 12-21.

Sandford Liebesman & Paul Palmes, "Otter Tail and ISO 9001 Join Forces for SOX Compliance," The Informed Outlook, March 2004, 13-19.

Sandford Liebesman, Paul Palmes & John Walz, "The Impact of SOX and QMS/EMS on Corporate Governance," The Informed Outlook, May 2004, 5-8.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.